A researcher reported the bug to security site Packet Storm, which shared details with Facebook last week. Facebook said it shut the DYI service down for a day for repairs before turning it back on.

Facebook users are able to upload their contacts to the social network and retrieve them as an archive through the DYI tool. The archive, called addressbook[.]html, is supposed to contain just the contacts you uploaded, but instead was returning contact details from other users if they had the same email address or phone number in their contact upload.

“In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information,” a post on the Packet Storm site says. “It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users.”

Facebook said it correlates user contact information to make friend recommendations.
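A simplified model of the behavior described above, as an added example (not Facebook's or Packet Storm's code): the store layout, function names and sample contacts are assumptions constructed for illustration. It contrasts an export that returns the correlated record with one filtered by who uploaded each value, and computes the difference as a regression check.

```python
from collections import defaultdict

# Constructed sample data: uploader -> contact entries that uploader supplied.
UPLOADS = {
    "alice": [{"name": "Dan", "email": "dan@example.com"}],
    "bob": [{"name": "Dan R.", "email": "dan@example.com",
             "phone": "+1-555-0100"}],
    "carol": [{"name": "D.", "phone": "+1-555-0100",
               "email": "dan.work@example.org"}],
}

def identifiers(entry):
    """Emails and phone numbers in one uploaded contact entry."""
    return {v for k, v in entry.items() if k in ("email", "phone")}

def build_index(uploads):
    """Correlation index: identifier -> {(uploader, value)} co-uploaded with it.

    Keeping the uploader next to each value preserves provenance, which is
    what lets an export be scoped later.
    """
    index = defaultdict(set)
    for owner, entries in uploads.items():
        for entry in entries:
            ids = identifiers(entry)
            for key in ids:
                index[key] |= {(owner, value) for value in ids}
    return index

def export_merged(user, uploads, index):
    """Flawed export: returns every value correlated with the user's contacts."""
    out = set()
    for entry in uploads[user]:
        for key in identifiers(entry):
            out |= {value for _owner, value in index[key]}
    return out

def export_scoped(user, uploads, index):
    """Scoped export: only values whose provenance is the requesting user."""
    out = set()
    for entry in uploads[user]:
        for key in identifiers(entry):
            out |= {value for owner, value in index[key] if owner == user}
    return out

def leaked(user, uploads):
    """Values the merged export discloses that the user never uploaded."""
    index = build_index(uploads)
    return export_merged(user, uploads, index) - export_scoped(user, uploads, index)
```

A non-empty `leaked()` result for any user means the export path is reading from the correlated record rather than from that user's own uploads.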

“We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said in a message from its White Hat program. “Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again.”

The White Hat program facilitates vulnerability disclosures for security researchers and manages the social network’s bug bounty program; the minimum payout is $500 and Packet Storm said Facebook did pay up for the DYI bug.

Packet Storm, meanwhile, shared some details of its discourse with Facebook on the DYI bug. It said Facebook considers users’ contact information the users’ data and they can do what they want with it regardless of whether they’re sharing someone else’s personally identifiable information. Facebook, Packet Storm said, also used the same reasoning when asked if they delete data uploaded by friends if it is not in accordance with the user’s privacy settings.

“The request for privacy controls around my personal data does not seem unreasonable. For one, a contact list may be my friend’s list, but the data is mine. When Facebook stores a credit card number for me, I’m certain they understand very clearly that it is my data and they are a custodian of my data,” Packet Storm said. “The same should apply to a contact list uploaded by someone. It is still my PII (Personally Identifiable Information) regardless of who puts it there and Facebook is still correlating it to my identity, ready to be compromised by malicious parties.”
